Working with Buffers

Working with Buﬀers Seminar Eﬃcient Programming in C

Christoph Brauer

Scientiﬁc Computing Research Group University Hamburg

December , Table of Contents

Preface

Introduction to C buﬀers and storage variants

Runtime allocation eﬃciency

Security concerns

Literature

Discussion as a hardcopy, should lie just in front of you for download, use these for your own experiments

Data is stored in little-endian format CPU registers and pointers are bits

Not ANSI C but gcc’s ISO C dialect default -O0

really working available ...

Linux running on amd architecture

gcc . with recent binutils ( as, ld, gas, objdump ... )

Examples themselves are

Please ask me just inbetween !

Preface Environment used for examples

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

Not ANSI C but gcc’s ISO C dialect default -O0

really working available ...

Data is stored in little-endian format CPU registers and pointers are bits gcc . with recent binutils ( as, ld, gas, objdump ... )

Examples themselves are

Please ask me just inbetween !

Preface Environment used for examples Linux running on amd architecture

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

Not ANSI C but gcc’s ISO C dialect default -O0

really working available ...

CPU registers and pointers are bits gcc . with recent binutils ( as, ld, gas, objdump ... )

Examples themselves are

Please ask me just inbetween !

Preface Environment used for examples Linux running on amd architecture Data is stored in little-endian format

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

Not ANSI C but gcc’s ISO C dialect default -O0

really working available ...

gcc . with recent binutils ( as, ld, gas, objdump ... )

Examples themselves are

Please ask me just inbetween !

Preface Environment used for examples Linux running on amd architecture Data is stored in little-endian format CPU registers and pointers are bits

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

really working available ...

Not ANSI C but gcc’s ISO C dialect default -O0 Examples themselves are

Please ask me just inbetween !

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

really working available ...

default -O0 Examples themselves are

Please ask me just inbetween !

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

really working available ...

Examples themselves are

Please ask me just inbetween !

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

really working available ...

Please ask me just inbetween !

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments

available ...

Please ask me just inbetween !

Preface Environment used for examples Linux running on amd architecture Data is stored in little-endian format CPU registers and pointers are bits gcc . with recent binutils ( as, ld, gas, objdump ... ) Not ANSI C but gcc’s ISO C dialect default -O0 Examples themselves are really working

/ as a hardcopy, should lie just in front of you for download, use these for your own experiments Please ask me just inbetween !

/ for download, use these for your own experiments Please ask me just inbetween !

/ Please ask me just inbetween !

/ Preface Environment used for examples Linux running on amd architecture Data is stored in little-endian format CPU registers and pointers are bits gcc . with recent binutils ( as, ld, gas, objdump ... ) Not ANSI C but gcc’s ISO C dialect default -O0 Examples themselves are really working available ... as a hardcopy, should lie just in front of you for download, use these for your own experiments Please ask me just inbetween !

/ Introduction to C buﬀers and storage variants that is assigned data of the same type and allocated using the C programming language

a continuous area of general computer memory ...

A C buﬀer is ...

Just some buﬀers hellobuﬀers.c

1 typedef unsigned long long int uint64_t ; 2 3 int main ( void) 4 { 5 char bufPtr1[32] ="Jay Miner"; 6 char *bufPtr2 ="Jack Tramiel"; 7 uint64_t *bufPtr3 = malloc ( 16 * sizeof ( uint64_t ) ) ; 8 int bufPtr4[4] = { 0x1234, 0x4567, 0xdead, 0xbeef } ; 9 return(0); 10 }

Introduction to C buffers and storage variants Definition What is a C buffer ?

/ that is assigned data of the same type and allocated using the C programming language

a continuous area of general computer memory ...

Just some buﬀers hellobuﬀers.c

Introduction to C buffers and storage variants Definition What is a C buffer ? A C buffer is ...

/ that is assigned data of the same type and allocated using the C programming language

Just some buﬀers hellobuﬀers.c

Introduction to C buffers and storage variants Definition What is a C buffer ? A C buffer is ... a continuous area of general computer memory ...

/ and allocated using the C programming language

Just some buﬀers hellobuﬀers.c

Introduction to C buffers and storage variants Definition What is a C buffer ? A C buffer is ... a continuous area of general computer memory ... that is assigned data of the same type

/ Just some buﬀers hellobuﬀers.c

Introduction to C buffers and storage variants Definition What is a C buffer ? A C buffer is ... a continuous area of general computer memory ... that is assigned data of the same type and allocated using the C programming language

/ Introduction to C buffers and storage variants Definition What is a C buffer ? A C buffer is ... a continuous area of general computer memory ... that is assigned data of the same type and allocated using the C programming language

Just some buﬀers hellobuﬀers.c

/ Program output Greetings, Professor Falken.

Nothing really going on here ?

Introduction to C buffers and storage variants One simple buffer One simple buffer simplebuffer.c

1 int main ( void) 2 { 3 char *myBufferPtr ="Greetings, Professor Falken.\n"; 4 printf ("%s", myBufferPtr ) ; 5 return(0); 6 }

/ Nothing really going on here ?

Introduction to C buffers and storage variants One simple buffer One simple buffer simplebuffer.c

1 int main ( void) 2 { 3 char *myBufferPtr ="Greetings, Professor Falken.\n"; 4 printf ("%s", myBufferPtr ) ; 5 return(0); 6 }

Program output Greetings, Professor Falken.

/ Introduction to C buffers and storage variants One simple buffer One simple buffer simplebuffer.c

1 int main ( void) 2 { 3 char *myBufferPtr ="Greetings, Professor Falken.\n"; 4 printf ("%s", myBufferPtr ) ; 5 return(0); 6 }

Program output Greetings, Professor Falken.

Nothing really going on here ?

/ Program output Address of myBufferPtr : 0x00007fffffffe228 Content of myBufferPtr : 0x0000000000400690 Size of myBufferPtr : 8 Size of buffer : 30 Content of buffer : Greetings, Professor Falken.

Introduction to C buffers and storage variants One simple verbose buffer One simple verbose buffer verbosebuffer.c

1 int main ( void) 2 { 3 char *myBufferPtr ="Greetings, Professor Falken.\n"; 4 5 printf ("Address of myBufferPtr: %016p\n", &myBufferPtr ) ; 6 printf ("Content of myBufferPtr: %016p\n", myBufferPtr ) ; 7 printf ("Size of myBufferPtr:%d\n", sizeof(myBufferPtr) ) ; 8 printf ("Size of buffer:%d\n", strlen ( myBufferPtr ) + 1 ) ; 9 printf ("Content of buffer:%s\n", myBufferPtr ) ; 10 return(0); 11 }

/ Introduction to C buffers and storage variants One simple verbose buffer One simple verbose buffer verbosebuffer.c

Program output Address of myBufferPtr : 0x00007fffffffe228 Content of myBufferPtr : 0x0000000000400690 Size of myBufferPtr : 8 Size of buffer : 30 Content of buffer : Greetings, Professor Falken.

/ myBuﬀerPtr and the actual buﬀer illustrated

Introduction to C buﬀers and storage variants One simple verbose buﬀer illustrated Program output Address of myBufferPtr : 0x00007fffffffe228 Content of myBufferPtr : 0x0000000000400690 Size of myBufferPtr : 8 Size of buffer : 30 Content of buffer : Greetings, Professor Falken.

/ Introduction to C buffers and storage variants One simple verbose buffer illustrated Program output Address of myBufferPtr : 0x00007fffffffe228 Content of myBufferPtr : 0x0000000000400690 Size of myBufferPtr : 8 Size of buffer : 30 Content of buffer : Greetings, Professor Falken. myBufferPtr and the actual buffer illustrated

/ The pointer is a variable that contains the address of the lowest byte occupied by the buffer The buffer forms a compound area in memory Buffers and pointers are two very different things, though it’s fairly easy to mix them up

Introduction to C buffers and storage variants One simple verbose buffer illustrated myBufferPtr and the actual buffer illustrated

/ The buffer forms a compound area in memory Buffers and pointers are two very different things, though it’s fairly easy to mix them up

Introduction to C buffers and storage variants One simple verbose buffer illustrated myBufferPtr and the actual buffer illustrated

The pointer is a variable that contains the address of the lowest byte occupied by the buﬀer

/ Buﬀers and pointers are two very diﬀerent things, though it’s fairly easy to mix them up

Introduction to C buffers and storage variants One simple verbose buffer illustrated myBufferPtr and the actual buffer illustrated

The pointer is a variable that contains the address of the lowest byte occupied by the buﬀer The buﬀer forms a compound area in memory

/ Introduction to C buffers and storage variants One simple verbose buffer illustrated myBufferPtr and the actual buffer illustrated

The pointer is a variable that contains the address of the lowest byte occupied by the buffer The buffer forms a compound area in memory Buffers and pointers are two very different things, though it’s fairly easy to mix them up

/ Program output ( simply all pointers printed ) Address of staticConstBuffer : 0x00000000004008c0 Address of staticEmptyBuffer : 0x0000000000600c60 Address of staticPresetBuffer : 0x0000000000600c20 Address of stackBuffer : 0x00007fffffffe1f0 Address of constBuffer : 0x00000000004007a0 Address of heapBuffer : 0x0000000000601010

Introduction to C buffers and storage variants Various buffers Various different buffers variousbuffers.c

1 static const char staticConstBuffer[32] ="Hello, Dave."; 2 static char staticEmptyBuffer[32] ; 3 static char staticPresetBuffer[32] ="Hello, Dave."; 4 char stackBuffer[32] ="Hello, Dave."; 5 char *constBuffer ="Hello, Dave"; 6 char *heapBuffer = (char*) malloc ( 32 ) ; 7 strcpy ( staticEmptyBuffer,"Hello, Dave."); 8 strcpy ( heapBuffer,"Hello, Dave.");

/ Introduction to C buffers and storage variants Various buffers Various different buffers variousbuffers.c

Program output ( simply all pointers printed ) Address of staticConstBuffer : 0x00000000004008c0 Address of staticEmptyBuffer : 0x0000000000600c60 Address of staticPresetBuffer : 0x0000000000600c20 Address of stackBuffer : 0x00007fffffffe1f0 Address of constBuffer : 0x00000000004007a0 Address of heapBuffer : 0x0000000000601010

/ buﬀers with similar characteristics are allocated in the very same memory area? or even the other way round : the memory areas, in which buﬀers are allocated, determine their characteristics?

Introduction to C buﬀers and storage variants Various buﬀers Program output ( simply all pointers printed ) Address of staticConstBuffer : 0x00000000004008c0 Address of staticEmptyBuffer : 0x0000000000600c60 Address of staticPresetBuffer : 0x0000000000600c20 Address of stackBuffer : 0x00007fffffffe1f0 Address of constBuffer : 0x00000000004007a0 Address of heapBuffer : 0x0000000000601010

/ buﬀers with similar characteristics are allocated in the very same memory area? or even the other way round : the memory areas, in which buﬀers are allocated, determine their characteristics?

... some others are at the ”top” of the memory and ”distanced” several terabytes Could it probably be that ...

Some buﬀers are located at the ”bottom” of the memory and just several bytes ”away” from each other ...

/ buﬀers with similar characteristics are allocated in the very same memory area? or even the other way round : the memory areas, in which buﬀers are allocated, determine their characteristics?

Could it probably be that ...

/ buﬀers with similar characteristics are allocated in the very same memory area? or even the other way round : the memory areas, in which buﬀers are allocated, determine their characteristics?

/ or even the other way round : the memory areas, in which buﬀers are allocated, determine their characteristics?

Some buﬀers are located at the ”bottom” of the memory and just several bytes ”away” from each other ...... some others are at the ”top” of the memory and ”distanced” several terabytes Could it probably be that ... buﬀers with similar characteristics are allocated in the very same memory area?

/ Introduction to C buﬀers and storage variants Various buﬀers Program output ( simply all pointers printed ) Address of staticConstBuffer : 0x00000000004008c0 Address of staticEmptyBuffer : 0x0000000000600c60 Address of staticPresetBuffer : 0x0000000000600c20 Address of stackBuffer : 0x00007fffffffe1f0 Address of constBuffer : 0x00000000004007a0 Address of heapBuffer : 0x0000000000601010

/ Introduction to C buﬀers and storage variants Excursion - Linux Virtual Memory The Linux virtual process address spaces

/ There is a pmap command to display the current memory map of a running process ( Linux, Net/Open/FreeBSD, SunOS ... )

Output of the pmap command

1 $ pmap ‘pgrep variousbuffers‘ 2 4937: ./variousbuffers.elf 3 0000000000400000 4K r-x-- /home/krusty/code/variousbuffers.elf 4 0000000000600000 4K rw--- /home/krusty/code/variousbuffers.elf 5 0000000000601000 132K rw--- [ anon ] 6 00007ffff7a56000 1524K r-x-- /lib/x86_64-linux-gnu/libc-2.13.so 7 00007ffff7ff7000 16K rw--- [ anon ] 8 00007ffff7ffb000 4K r-x-- [ anon ] 9 00007ffff7ffc000 4K r---- /lib/x86_64-linux-gnu/ld-2.13.so 10 00007ffff7ffd000 4K rw--- /lib/x86_64-linux-gnu/ld-2.13.so 11 00007ffff7ffe000 4K rw--- [ anon ] 12 00007ffffffde000 132K rw--- [ stack ] 13 ffffffffff600000 4K r-x-- [ anon ] 14 $

Introduction to C buﬀers and storage variants Excursion - Linux Virtual Memory How can we ﬁnd out which sections our program uses and where those are located in virtual memory ?

/ Output of the pmap command

Introduction to C buﬀers and storage variants Excursion - Linux Virtual Memory How can we ﬁnd out which sections our program uses and where those are located in virtual memory ? There is a pmap command to display the current memory map of a running process ( Linux, Net/Open/FreeBSD, SunOS ... )

/ Introduction to C buﬀers and storage variants Excursion - Linux Virtual Memory How can we ﬁnd out which sections our program uses and where those are located in virtual memory ? There is a pmap command to display the current memory map of a running process ( Linux, Net/Open/FreeBSD, SunOS ... )

Output of the pmap command

/ Introduction to C buﬀers and storage variants Buﬀer to section mapping The Linux virtual process address spaces

/ have a ﬁxed size and a ﬁxed layout that is determined before any line of your code is run thus they do not require any runtime management

do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

Sections are assigned access privileges The text sections contains executable code and constants The data sections contains static variables Both section ...

Stack and heap sections

Introduction to C buﬀers and storage variants Section properties

Address space

/ have a ﬁxed size and a ﬁxed layout that is determined before any line of your code is run thus they do not require any runtime management

do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

The text sections contains executable code and constants The data sections contains static variables Both section ...

Stack and heap sections

Introduction to C buﬀers and storage variants Section properties Sections are assigned access privileges Address space

/ have a ﬁxed size and a ﬁxed layout that is determined before any line of your code is run thus they do not require any runtime management

do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

The data sections contains static variables Both section ...

Stack and heap sections

Introduction to C buﬀers and storage variants Section properties Sections are assigned access privileges The text sections contains executable code and Address space constants

/ have a ﬁxed size and a ﬁxed layout that is determined before any line of your code is run thus they do not require any runtime management

do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

Both section ...

Stack and heap sections

/ do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

have a ﬁxed size and a ﬁxed layout that is determined before any line of your code is run thus they do not require any runtime management Stack and heap sections

/ do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

thus they do not require any runtime management Stack and heap sections

/ do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

Stack and heap sections

Introduction to C buffers and storage variants Section properties Sections are assigned access privileges The text sections contains executable code and Address space constants The data sections contains static variables Both section ... have a fixed size and a fixed layout that is determined before any line of your code is run thus they do not require any runtime management

/ do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

/ have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

/ thus they do require runtime management

/ Introduction to C buffers and storage variants Section properties Sections are assigned access privileges The text sections contains executable code and Address space constants The data sections contains static variables Both section ... have a fixed size and a fixed layout that is determined before any line of your code is run thus they do not require any runtime management Stack and heap sections do not contain pre-initialized data have a starting size which can ( and most probably will ) be resized during program execution thus they do require runtime management

/ Runtime allocation eﬃciency Stack allocations Heap allocations

Thus they can not appear in any loops and are not in the scope of eﬃciency issues anyway So in the upcoming section we will focus on

Runtime allocation eﬃciency Eﬃciency scope

Static allocations are only performed once during program initialization

/ Stack allocations Heap allocations

So in the upcoming section we will focus on

Runtime allocation eﬃciency Eﬃciency scope

Static allocations are only performed once during program initialization Thus they can not appear in any loops and are not in the scope of eﬃciency issues anyway

/ Stack allocations Heap allocations

Runtime allocation eﬃciency Eﬃciency scope

Static allocations are only performed once during program initialization Thus they can not appear in any loops and are not in the scope of eﬃciency issues anyway So in the upcoming section we will focus on

/ Heap allocations

Runtime allocation eﬃciency Eﬃciency scope

/ Runtime allocation eﬃciency Eﬃciency scope

/ function return addresses local variables ( sometimes ) function arguments

Stack is organized as a ( Last In - First Out ) LIFO queue Growing from high to low addresses Most often used as a general temporary data storage

Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

Runtime allocation eﬃciency The Stack

Example byte stack of a bit machine

/ function return addresses local variables ( sometimes ) function arguments

Growing from high to low addresses Most often used as a general temporary data storage

Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

Runtime allocation eﬃciency The Stack Stack is organized as a ( Last In - First Out ) LIFO queue Example byte stack of a bit machine

/ function return addresses local variables ( sometimes ) function arguments

Most often used as a general temporary data storage

Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

Runtime allocation eﬃciency The Stack Stack is organized as a ( Last In - First Out ) LIFO queue Growing from high to low addresses Example byte stack of a bit machine

/ function return addresses local variables ( sometimes ) function arguments Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

/ local variables ( sometimes ) function arguments Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

/ ( sometimes ) function arguments Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

/ Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

Runtime allocation eﬃciency The Stack Stack is organized as a ( Last In - First Out ) LIFO queue Growing from high to low addresses Example byte stack of Most often used as a general temporary data storage a bit machine function return addresses local variables ( sometimes ) function arguments

/ SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

/ x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

/ Runtime allocation eﬃciency The Stack Stack is organized as a ( Last In - First Out ) LIFO queue Growing from high to low addresses Example byte stack of Most often used as a general temporary data storage a bit machine function return addresses local variables ( sometimes ) function arguments Stackpointer ( SP ) denotes current stack position SP is almost always a CPU register, on AMD it is RSP x CPUs do push elements by decrementing the SP ﬁrst and storing the value afterwards

/ Stackframe

Runtime allocation eﬃciency The Stack Small stack example

1 void secondFunction ( void) 2 { 3 char secondBuffer[] ="Crunch"; 4 } 5 6 7 void firstFunction ( void) 8 { 9 char firstBuffer[] ="Captain"; 10 secondFunction () ; 11 // return point to firstFunction 12 } 13 14 int main ( void) 15 { 16 firstFunction () ; 17 // return point to main function 18 return(0); 19 }

/ Runtime allocation eﬃciency The Stack

Small stack example Stackframe

/ A can pass its local stack data to B for it’s located ”above” B’s stackframe and thus can not be overwritten by B B can not pass its local stack data to A because B’s stackframe is located ”beyond” A’s stackframe and thus will be simpy overwritten by subsequent function calls of A

the current function simply claims all the stackspace from the current stackpointer to the stack bottom local stack data is simply written consecutively allocation is really nothing but altering a pointer The major drawback of stack allocation is the limited lifespan of the stack data For instance, let A and B be functions such that function A calls function B

Runtime allocation eﬃciency The Stack Stack allocation requires few ressources for

local stack data is simply written consecutively allocation is really nothing but altering a pointer The major drawback of stack allocation is the limited lifespan of the stack data For instance, let A and B be functions such that function A calls function B

Runtime allocation eﬃciency The Stack Stack allocation requires few ressources for the current function simply claims all the stackspace from the current stackpointer to the stack bottom

allocation is really nothing but altering a pointer The major drawback of stack allocation is the limited lifespan of the stack data For instance, let A and B be functions such that function A calls function B

The major drawback of stack allocation is the limited lifespan of the stack data For instance, let A and B be functions such that function A calls function B

For instance, let A and B be functions such that function A calls function B

Runtime allocation eﬃciency The Stack Stack allocation requires few ressources for the current function simply claims all the stackspace from the current stackpointer to the stack bottom local stack data is simply written consecutively allocation is really nothing but altering a pointer The major drawback of stack allocation is the limited lifespan of the stack data For instance, let A and B be functions such that function A calls function B

/ B can not pass its local stack data to A because B’s stackframe is located ”beyond” A’s stackframe and thus will be simpy overwritten by subsequent function calls of A

/ Runtime allocation eﬃciency The Stack Stack allocation requires few ressources for the current function simply claims all the stackspace from the current stackpointer to the stack bottom local stack data is simply written consecutively allocation is really nothing but altering a pointer The major drawback of stack allocation is the limited lifespan of the stack data For instance, let A and B be functions such that function A calls function B A can pass its local stack data to B for it’s located ”above” B’s stackframe and thus can not be overwritten by B B can not pass its local stack data to A because B’s stackframe is located ”beyond” A’s stackframe and thus will be simpy overwritten by subsequent function calls of A

/ Heap management is a shared task of OS and userspace functions

If you are not happy with malloc, simply write your own!

So the heap is just one big bunch of memory Resizing the heap section is done by the OS, though management of data structure allocation on the heap is done by the executing program itself

Traditionally, heap memory allocation is done by malloc, which is part of libc

Runtime allocation eﬃciency The Heap Unlike the stack, there is no such thing as a shared ”heap pointer”

/ Heap management is a shared task of OS and userspace functions

If you are not happy with malloc, simply write your own!

Resizing the heap section is done by the OS, though management of data structure allocation on the heap is done by the executing program itself

Traditionally, heap memory allocation is done by malloc, which is part of libc

Runtime allocation eﬃciency The Heap Unlike the stack, there is no such thing as a shared ”heap pointer” So the heap is just one big bunch of memory

/ If you are not happy with malloc, simply write your own!

Heap management is a shared task of OS and userspace functions Traditionally, heap memory allocation is done by malloc, which is part of libc

/ If you are not happy with malloc, simply write your own!

Traditionally, heap memory allocation is done by malloc, which is part of libc

Runtime allocation eﬃciency The Heap Unlike the stack, there is no such thing as a shared ”heap pointer” So the heap is just one big bunch of memory Resizing the heap section is done by the OS, though management of data structure allocation on the heap is done by the executing program itself Heap management is a shared task of OS and userspace functions

/ If you are not happy with malloc, simply write your own!

/ Runtime allocation eﬃciency The Heap Unlike the stack, there is no such thing as a shared ”heap pointer” So the heap is just one big bunch of memory Resizing the heap section is done by the OS, though management of data structure allocation on the heap is done by the executing program itself Heap management is a shared task of OS and userspace functions Traditionally, heap memory allocation is done by malloc, which is part of libc If you are not happy with malloc, simply write your own!

/ Runtime allocation eﬃciency The Heap Heap ( malloc )

/ Runtime allocation eﬃciency The Heap Heap ( malloc ) char *firstPtr = malloc ( 2048 ) ;

char *secondPtr = malloc ( 512 ) ;

/ What happens if we want to allocate another bytes ? We actually have enough space in sum, though we can’t allocate one compound block

Runtime allocation eﬃciency The Heap Heap ( malloc ) free ( firstPtr ) ;

/ We actually have enough space in sum, though we can’t allocate one compound block

Runtime allocation eﬃciency The Heap Heap ( malloc ) free ( firstPtr ) ;

What happens if we want to allocate another bytes ?

/ Runtime allocation eﬃciency The Heap Heap ( malloc ) free ( firstPtr ) ;

What happens if we want to allocate another bytes ? We actually have enough space in sum, though we can’t allocate one compound block

/ Runtime allocation eﬃciency The Heap Heap ( malloc ) - Fragmentation and Resizing char *thirdPtr = malloc ( 3072 ) ;

/ speed for maintaining a doubly linked list size due to fragmentation and extra management chunks added to the heap

Allocated data has no lifetime restrictions Allocation process suﬀers eﬃciency issues in terms of

Runtime allocation eﬃciency The Heap If you want to see malloc in action requesting OS memory, try the ”strace” program and watch for execution of brk / mmap functions

/ speed for maintaining a doubly linked list size due to fragmentation and extra management chunks added to the heap

Allocation process suﬀers eﬃciency issues in terms of

/ speed for maintaining a doubly linked list size due to fragmentation and extra management chunks added to the heap

Runtime allocation efficiency The Heap If you want to see malloc in action requesting OS memory, try the ”strace” program and watch for execution of brk / mmap functions Allocated data has no lifetime restrictions Allocation process suffers efficiency issues in terms of

/ size due to fragmentation and extra management chunks added to the heap

/ Runtime allocation efficiency The Heap If you want to see malloc in action requesting OS memory, try the ”strace” program and watch for execution of brk / mmap functions Allocated data has no lifetime restrictions Allocation process suffers efficiency issues in terms of speed for maintaining a doubly linked list size due to fragmentation and extra management chunks added to the heap

/ Runtime allocation eﬃciency Assumptions Now that we have an idea about how several allocation mechanism might perform, let’s see if reality proves it right

/ Runtime allocation eﬃciency Static vs. Stack Static vs. Stack staticvsstack.c

1 #define NUMLOOPS (1000*1000*1000*2) 2 #defineMYSTRING"Hello,I ama string, actuallyI am not that horrible long thoughI can cause some serious performance impact." 3 4 void fillBufferFromStack ( char *destBuffer ) 5 { char myStackBuffer[] = MYSTRING ; 6 strcpy ( destBuffer, myStackBuffer ) ; } 7 8 void fillBufferFromStatic ( char *destBuffer ) 9 { static char myStaticBuffer[] = MYSTRING ; 10 strcpy ( destBuffer, myStaticBuffer ) ; } 11 12 int main ( void) 13 { 14 static char destBuffer[512] ; 15 for ( uint64_t i = 0 ; i < NUMLOOPS ; i++ ) 16 fillBufferFromStack ( destBuffer ) ; 17 for ( uint64_t i = 0 ; i < NUMLOOPS ; i++ ) 18 fillBufferFromStatic ( destBuffer ) ; 19 return(0); 20 }

/ gprof results

1 % cumulative self self total 2 time seconds seconds calls ns/call ns/call name 3 76.11 29.42 29.42 2000000000 14.71 14.71 fillBufferFromStack 4 11.05 33.69 4.27 2000000000 2.14 2.14 fillBufferFromStatic

Runtime allocation eﬃciency Static vs. Stack Static vs. Stack staticvsstack.c

/ Runtime allocation eﬃciency Static vs. Stack Static vs. Stack staticvsstack.c

gprof results

/ Runtime allocation eﬃciency Stack vs. Heap Stack vs. Heap stackvsheap.c

1 #define NUMLOOPS (1000*1000*1000) 2 #define BUFSIZE 64 3 4 void allocateStack ( ) 5 { char myStackBuffer[BUFSIZE] ; 6 memset ( myStackBuffer, 0x66, BUFSIZE ) ; 7 } 8 9 void allocateHeap ( ) 10 { char *myHeapBuffer = malloc ( BUFSIZE ) ; 11 memset ( myHeapBuffer, 0x66, BUFSIZE ) ; 12 free ( myHeapBuffer ) ; 13 } 14 15 int main ( void) 16 { 17 for ( uint64_t i = 0 ; i < NUMLOOPS ; i++ ) 18 allocateStack () ; 19 for ( uint64_t i = 0 ; i < NUMLOOPS ; i++ ) 20 allocateHeap () ; 21 return(0); 22 }

/ gprof results

1 % cumulative self self total 2 time seconds seconds calls ns/call ns/call name 3 28.04 8.10 3.17 1000000000 3.17 3.17 allocateHeap 4 19.69 10.33 2.23 1000000000 2.23 2.23 allocateStack

Runtime allocation eﬃciency Stack vs. Heap Stack vs. Heap stackvsheap.c

/ Runtime allocation eﬃciency Stack vs. Heap Stack vs. Heap stackvsheap.c

gprof results

1 % cumulative self self total 2 time seconds seconds calls ns/call ns/call name 3 28.04 8.10 3.17 1000000000 3.17 3.17 allocateHeap 4 19.69 10.33 2.23 1000000000 2.23 2.23 allocateStack

/ Runtime allocation eﬃciency Malloc space consumption Malloc space consumption mallocsize.c

1 #define ELEMENTSIZE 32 2 #define NUMELEMENTS 1024*1024*128//4 Gigabyte 3 4 int main ( void) 5 { 6 char **bufferPointers = malloc ( NUMELEMENTS * sizeof(char*)); 7 for ( uint64_t i = 0 ; i < NUMELEMENTS ; i++ ) 8 bufferPointers[i] = malloc ( ELEMENTSIZE ) ; 9 10 getchar () ; 11 12 for ( uint64_t i = 0 ; i < NUMELEMENTS ; i++ ) 13 free ( bufferPointers[i] ) ; 14 free ( bufferPointers ) ; 15 16 return(0); 17 }

/ cat /proc/‘pgrep mallocsize‘/status | grep VmRSS

1 VmRSS: 7340304 kB

Overhead : M- M- M = M (~ %)

Runtime allocation eﬃciency Malloc space consumption Malloc space consumption mallocsize.c

/ Overhead : M- M- M = M (~ %)

Runtime allocation eﬃciency Malloc space consumption Malloc space consumption mallocsize.c

cat /proc/‘pgrep mallocsize‘/status | grep VmRSS

1 VmRSS: 7340304 kB

/ Runtime allocation eﬃciency Malloc space consumption Malloc space consumption mallocsize.c

cat /proc/‘pgrep mallocsize‘/status | grep VmRSS

1 VmRSS: 7340304 kB

Overhead : M- M- M = M (~ %)

/ Oh wonder, yes, it can :)

specialized on small allocations, implements a malloc fallback for big allocation acts predictively by allocating a bunch of elements ( slice ) even if only one single element is requested if any further elements of that type are requested, they are simply taken from the slice thus it’s behaving like an allocation cache this principle is heavily based on the slab memory allocator[]

be the slowest allocation mechanism produce several overhead Can this probably be done more eﬃciently ?

glib provides us with a slice allocator[]

Runtime allocation eﬃciency Malloc space consumption Heap allocation via malloc turns out to

/ Oh wonder, yes, it can :)

produce several overhead Can this probably be done more eﬃciently ?

glib provides us with a slice allocator[]

Runtime allocation eﬃciency Malloc space consumption Heap allocation via malloc turns out to be the slowest allocation mechanism

/ Oh wonder, yes, it can :)

Can this probably be done more eﬃciently ?

glib provides us with a slice allocator[]

Runtime allocation eﬃciency Malloc space consumption Heap allocation via malloc turns out to be the slowest allocation mechanism produce several overhead

/ specialized on small allocations, implements a malloc fallback for big allocation acts predictively by allocating a bunch of elements ( slice ) even if only one single element is requested if any further elements of that type are requested, they are simply taken from the slice thus it’s behaving like an allocation cache this principle is heavily based on the slab memory allocator[]

Oh wonder, yes, it can :) glib provides us with a slice allocator[]

glib provides us with a slice allocator[]

/ acts predictively by allocating a bunch of elements ( slice ) even if only one single element is requested if any further elements of that type are requested, they are simply taken from the slice thus it’s behaving like an allocation cache this principle is heavily based on the slab memory allocator[]

/ if any further elements of that type are requested, they are simply taken from the slice thus it’s behaving like an allocation cache this principle is heavily based on the slab memory allocator[]

Runtime allocation eﬃciency Malloc space consumption Heap allocation via malloc turns out to be the slowest allocation mechanism produce several overhead Can this probably be done more eﬃciently ? Oh wonder, yes, it can :) glib provides us with a slice allocator[] specialized on small allocations, implements a malloc fallback for big allocation acts predictively by allocating a bunch of elements ( slice ) even if only one single element is requested

/ thus it’s behaving like an allocation cache this principle is heavily based on the slab memory allocator[]

/ this principle is heavily based on the slab memory allocator[]

/ Runtime allocation eﬃciency Malloc space consumption Heap allocation via malloc turns out to be the slowest allocation mechanism produce several overhead Can this probably be done more eﬃciently ? Oh wonder, yes, it can :) glib provides us with a slice allocator[] specialized on small allocations, implements a malloc fallback for big allocation acts predictively by allocating a bunch of elements ( slice ) even if only one single element is requested if any further elements of that type are requested, they are simply taken from the slice thus it’s behaving like an allocation cache this principle is heavily based on the slab memory allocator[]

/ Return address of allocated memory is simply address of ﬁrstElement + ( number of used elements ) * elementSize Once a slice is fully occupied, another one is allocated If a slice element is freed, no more elements of that slice can be allocated A slice is freed once all its elements are freed

Runtime allocation eﬃciency Slice allocator Slice illustration

/ Once a slice is fully occupied, another one is allocated If a slice element is freed, no more elements of that slice can be allocated A slice is freed once all its elements are freed

Runtime allocation eﬃciency Slice allocator Slice illustration

Return address of allocated memory is simply address of ﬁrstElement + ( number of used elements ) * elementSize

/ If a slice element is freed, no more elements of that slice can be allocated A slice is freed once all its elements are freed

Runtime allocation eﬃciency Slice allocator Slice illustration

Return address of allocated memory is simply address of ﬁrstElement + ( number of used elements ) * elementSize Once a slice is fully occupied, another one is allocated

/ A slice is freed once all its elements are freed

Runtime allocation eﬃciency Slice allocator Slice illustration

Return address of allocated memory is simply address of ﬁrstElement + ( number of used elements ) * elementSize Once a slice is fully occupied, another one is allocated If a slice element is freed, no more elements of that slice can be allocated

/ Runtime allocation eﬃciency Slice allocator Slice illustration

/ Runtime allocation eﬃciency Glib slice allocator vs. malloc g_slice_alloc space consumption slicesize_glib.c

1 #define ELEMENTSIZE 32 2 #define NUMELEMENTS 1024*1024*128//4 Gigabyte 3 4 int main ( void) 5 { 6 char **bufferPointers = malloc ( NUMELEMENTS * sizeof(char*)); 7 for ( uint64_t i = 0 ; i < NUMELEMENTS ; i++ ) 8 bufferPointers[i] = g_slice_alloc ( ELEMENTSIZE ) ; 9 10 for ( uint64_t i = 0 ; i < NUMELEMENTS ; i++ ) 11 g_slice_free1 ( ELEMENTSIZE, bufferPointers[i] ) ; 12 free ( bufferPointers ) ; 13 14 return(0); 15 }

/ cat /proc/‘pgrep slicesize_glib‘/status | grep VmRSS

1 VmRSS: 5842772 kB

Overhead : M- M- M = M (~%)

Runtime allocation eﬃciency Glib slice allocator vs. malloc g_slice_alloc space consumption slicesize_glib.c

/ Overhead : M- M- M = M (~%)

Runtime allocation eﬃciency Glib slice allocator vs. malloc g_slice_alloc space consumption slicesize_glib.c

cat /proc/‘pgrep slicesize_glib‘/status | grep VmRSS

1 VmRSS: 5842772 kB

/ Runtime allocation eﬃciency Glib slice allocator vs. malloc g_slice_alloc space consumption slicesize_glib.c

cat /proc/‘pgrep slicesize_glib‘/status | grep VmRSS

1 VmRSS: 5842772 kB

Overhead : M- M- M = M (~%)

/ malloc minutes, seconds g_slice_alloc minutes, seconds

What about the time? Code for the upcoming stats is not quoted here, though it’s available for download ( heapsizeloop.c / slicesizeloop.c ) Allocating * single buﬀers with an size of bytes done * times takes

Runtime allocation eﬃciency Glib slice allocator vs. malloc So far we’ve seen that g_slice_alloc can very well outperform malloc in terms of space overhead

/ malloc minutes, seconds g_slice_alloc minutes, seconds

Code for the upcoming stats is not quoted here, though it’s available for download ( heapsizeloop.c / slicesizeloop.c ) Allocating * single buﬀers with an size of bytes done * times takes

Runtime allocation eﬃciency Glib slice allocator vs. malloc So far we’ve seen that g_slice_alloc can very well outperform malloc in terms of space overhead What about the time?

/ malloc minutes, seconds g_slice_alloc minutes, seconds

Allocating * single buﬀers with an size of bytes done * times takes

Runtime allocation eﬃciency Glib slice allocator vs. malloc So far we’ve seen that g_slice_alloc can very well outperform malloc in terms of space overhead What about the time? Code for the upcoming stats is not quoted here, though it’s available for download ( heapsizeloop.c / slicesizeloop.c )

/ malloc minutes, seconds g_slice_alloc minutes, seconds

/ g_slice_alloc minutes, seconds

/ Runtime allocation eﬃciency Glib slice allocator vs. malloc So far we’ve seen that g_slice_alloc can very well outperform malloc in terms of space overhead What about the time? Code for the upcoming stats is not quoted here, though it’s available for download ( heapsizeloop.c / slicesizeloop.c ) Allocating * single buﬀers with an size of bytes done * times takes malloc minutes, seconds g_slice_alloc minutes, seconds

/ Runtime allocation eﬃciency Glib slice allocator vs. malloc Statistics of sample allocations

/ slice allocators pool allocators[] dlmalloc[ ], tcmalloc[], jemalloc[] ...

Best know your memory requirements beforehand Choose the right type of buﬀer ﬁtting its purpose Look for alternative allocators

Runtime allocation eﬃciency Conclusion and outlook Tradeoﬀ

/ slice allocators pool allocators[] dlmalloc[ ], tcmalloc[], jemalloc[] ...

Choose the right type of buﬀer ﬁtting its purpose Look for alternative allocators

Runtime allocation eﬃciency Conclusion and outlook Tradeoﬀ

Best know your memory requirements beforehand

/ slice allocators pool allocators[] dlmalloc[ ], tcmalloc[], jemalloc[] ...

Look for alternative allocators

Runtime allocation eﬃciency Conclusion and outlook Tradeoﬀ

Best know your memory requirements beforehand Choose the right type of buﬀer ﬁtting its purpose

/ slice allocators pool allocators[] dlmalloc[ ], tcmalloc[], jemalloc[] ...

Runtime allocation eﬃciency Conclusion and outlook Tradeoﬀ

Best know your memory requirements beforehand Choose the right type of buﬀer ﬁtting its purpose Look for alternative allocators

/ pool allocators[] dlmalloc[ ], tcmalloc[], jemalloc[] ...

Runtime allocation eﬃciency Conclusion and outlook Tradeoﬀ

Best know your memory requirements beforehand Choose the right type of buﬀer ﬁtting its purpose Look for alternative allocators slice allocators

/ dlmalloc[ ], tcmalloc[], jemalloc[] ...

Runtime allocation eﬃciency Conclusion and outlook Tradeoﬀ

Best know your memory requirements beforehand Choose the right type of buﬀer ﬁtting its purpose Look for alternative allocators slice allocators pool allocators[]

/ Runtime allocation eﬃciency Conclusion and outlook Tradeoﬀ

Best know your memory requirements beforehand Choose the right type of buﬀer ﬁtting its purpose Look for alternative allocators slice allocators pool allocators[] dlmalloc[ ], tcmalloc[], jemalloc[] ...

/ Security concerns Security concerns Know your enemy

It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles. The Art of War, B.C.

The upcoming guide about how to successfully abuse vulnerable software is based on methods described by Elias ”Aleph One” Levy[] and Jeﬀrey Turkstra[].

/ Security concerns Overflow caused program crash First stack overflow basicoverflow.c

1 void askForName ( void) 2 { 3 char name[8] ; 4 printf ("Please enter your name:"); 5 gets ( name ) ; 6 printf ("Hello%s\n", name ) ; 7 } 8 9 int main ( void) 10 { 11 askForName () ; 12 return(0); 13 }

/ Program execution $ echo "Joshua" | ./basicoverflow.elf Program output Please enter your name : Hello Joshua

Security concerns Overflow caused program crash First stack overflow basicoverflow.c